Vulnerability Disclosure Policy
THIS POLICY DOES NOT APPLY TO OUR CLIENTS OR VULNERABILITIES DISCOVERED THROUGH OUR CLIENT ENGAGEMENTS, WHICH ARE PROTECTED UNDER NDA. IT ONLY APPLIES TO PUBLICLY AVAILABLE PRODUCTS FOR VULNERABILITIES THAT MIGHT AFFECT CONSUMERS.
This policy outlines how PeopleSec LLC handles responsible vulnerability disclosure to product vendors and the general public. PeopleSec LLC will responsibly and promptly notify the responsible product vendor (MAINTAINER) of a security flaw in their product(s) or service(s). It is the policy of PeopleSec LLC to ethically and responsibly disclose security vulnerabilities in a way that is most beneficial to all parties.
PeopleSec LLC will first attempt contact, with the pertinent information about the vulnerability, through any appropriate contacts or formal mechanisms listed on the vendor's (MAINTAINER's) website.
The vendor will be given 5 business days from the DATE OF CONTACT. If the vendor fails to acknowledge PeopleSec LLC's initial notification within 5 business days, PeopleSec LLC will initiate a second formal contact by telephone to a representative for that vendor. If the vendor fails to respond after an additional 5 business days following the second notification, PeopleSec LLC will review the issue and decide on a course of action, which may include public disclosure.
The vendor will be responsible for providing status updates regarding resolution of the ISSUE at a minimum of once every 5 business days.
If the vendor discontinues communication for more than 10 business days after the initial date of contact, PeopleSec LLC will consider the vendor non-responsive and decide on a next course of action, which may include public disclosure.
PeopleSec LLC will allow the vendor 30 days to address the vulnerability. At the end of the deadline, if a vendor is not responsive (has discontinued communication for 10 days or more) or is unable to provide a reasonable statement as to why the vulnerability is not fixed, PeopleSec LLC may take action, which may involve public disclosure, in an effort to protect the public.
If practical, PeopleSec LLC will make a limited disclosure that includes mitigation suggestions, so that the defensive community can protect the public.
PeopleSec LLC may make a disclosure at an earlier or later date, depending on the situation, including but not limited to: vulnerability information being made publicly available by another party, a vulnerability being exploited "in the wild", fixes being considerably difficult to build, or a vendor being non-responsive.
PeopleSec LLC reserves the right to privately share vulnerability discoveries made during independent research at any time with other security vendors or other third parties in order to help secure systems from attacks and provide a protective response to the public.
Communications regarding disclosures to or from PeopleSec LLC shall use the 0day@PeopleSec.org address. If the vendor wishes to encrypt communications, this should be explicitly stated, and the vendor should provide us with their PGP/GPG public key.